Speed Up Your Snort IDS

Implementing a intrusion detection and prevention can be a challening task, especially in network environment with high traffic loads. Maybe you're one of the countless people who use the open-source Snort intrusion detection system. If you are then maybe you also write your own detection rules once in a while.

Just like source code for any application, the way a rule is written affects its performance. Poorly written rules take more time to process. A few extra microseconds of processing time here and there might not seem like a big deal but when you consider an overall traffic load those microseconds add up to full seconds real fast, and of course those seconds add up to minutes. The more efficient you write your rules the more efficient your IDS system runs and the less likely it is that some sort of anomolous traffic becomes dropped.

The obvious question that arises is how can you determine how effecient your rules are? An easy way is to use the TurboSnortRules online benchmarking tool, sponsored by VigilantMinds. TurboSnortRules is a Web-based service that lets you enter a rule and test its performance against a set of control data.

You can also use the online database to lookup rules that exist in the Snort distribution and rules that have been submitted for testing by people who use Snort. The database is a good way to find rules you might need but don't want to write yourselves and the related performance data shows you how well those rules perform on several difference versions of Snort.